Fluent D record_transformer插件和Ruby最终可与elasticsearch，Kibana一起使用

Question

I am currently using the fluentd record_transformer plugin to transform syslog messages. I wanted to know how to implement this set of c++ commands in ruby to find a comma and get a substring up to that position and store it in a new field (Duration):

std::string str="We think in generalities, but we live in details.";
std::size_t pos = str.find(',');
std::string newstring = str.substr (3,pos);

I have tried :

<filter xyz.**>
@type record_transformer
enable_ruby true
<record>
Duration ${record["message"][32..(("message".index(/\,/,32)).to_i)]}
</record>

But have been unsuccessful. I acknowledge this is a rather basic question, but all help will be greatly appreciated.

Answer 1

<source>
  @type dummy
  dummy {"message": "We think in generalities, but we live in details."}
  tag dummy
  @label @INPUT
</source>

<label @INPUT>
  <filter>
    @type record_transformer
    enable_ruby true
    <record>
      duration ${record["message"].slice(/,([^,]{3})/, 1)}
    </record>
  </filter>
  <match>
    @type stdout
  </match>
</label>

This will print like followings:

2018-09-12 19:29:08.029546388 +0900 dummy: {"message":"We think in generalities, but we live in details.","duration":" bu"}
2018-09-12 19:29:09.031650493 +0900 dummy: {"message":"We think in generalities, but we live in details.","duration":" bu"}
2018-09-12 19:29:10.033424279 +0900 dummy: {"message":"We think in generalities, but we live in details.","duration":" bu"}

If you want to parse syslog format lines, you can use https://docs.fluentd.org/v1.0/articles/parser_syslog instead of filter_record_transformer.